New oneplus6t wireguard client

modules/wireguard-client/default.nix

@@ -1,29 +1,23 @@
-{config, ...}: {
+{
+  config,
+  fleetFlake,
+  ...
+}: {
   networking.firewall = {
-    allowedUDPPorts = [51820]; # Clients and peers can use the same port, see listenport
+    allowedUDPPorts = [51820];
   };
-  # Enable WireGuard
   networking.wireguard.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
     wg0 = {
-      ips = ["10.100.0.2/32"];
+      ips = ["${(import "${fleetFlake}/lib").ips."${config.networking.hostName}"}/32"];
-      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      listenPort = 51820;
 
       privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
 
       peers = [
         {
-          # Public key of the server (not a file path).
           publicKey = "O9V2PI7+vZm7gGn3f9SaTsJbVe9urf/jZkdXFz/mjVU=";
-
+          allowedIPs = ["10.100.0.0/24"];
-          # Forward all the traffic via VPN.
-          # allowedIPs = [ "0.0.0.0/0" ];
-          # Or forward only particular subnets
-          allowedIPs = ["10.100.0.1"];
-
-          # Set this to the server IP and port.
           endpoint = "mothership.aciceri.dev:51820";
-
           persistentKeepalive = 25;
         }
       ];

modules/wireguard-server/default.nix

@@ -30,9 +30,13 @@
         {
           # thinkpad
           publicKey = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
-          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
           allowedIPs = ["10.100.0.2/32"];
         }
+        {
+          # oneplus6t
+          publicKey = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
+          allowedIPs = ["10.100.0.3/32"];
+        }
       ];
     };
   };